Botnets Come Roaring Back In New Year

As Rustock and Waledac begin pumping spam again, botnet experts say the bad guys will be up to their old tricks -- with some new twists -- in 2011

After a brief hiatus at the end of 2010, botnets are back. And they might have a few new tricks up their sleeves.

Security research lab NetWitness earlier this month reported increased activity on the Rustock botnet, while Websense flagged a new spam push from the well-known Waledac network. These spikes come less than a month after many research labs reported a downturn in spam activity in the final quarter of last year.

As the new year rolls out, security experts expect botnet operators will be back in full force.

Joe Stewart, director of malware research at SecureWorks, says he doesn't expect to see new attacks but rather incremental development and improvement on what's already out there. "The politically motivated attackers have started some new trends, such as opt-in botnets [and] JavaScript cross-site bots. I expect these tools to become easier to use, more effective, and more resilient in 2011," he says.

In its blog, anti-malware technology vendor Dasient predicts 2011 will bring "a large botnet cyberwar" that will be won by Zeus, the Trojan toolkit that became botnet operators' favorite mode of attack in 2010.

"2011 will likely be the year that large botnets will start more aggressively competing to sustain their growth, and users will get caught in the middle," Dasient says. Zeus has proved its ability to grow larger than other botnets and is also one of the most profitable botnets targeting financial institutions, the company says, adding that Zeus will hold its ground against other botnets that try to attack it.

As botnets become more common, many operators will simply steal infected PCs from other operators rather than build their own networks, says Dasient CTO Neil Daswani. This infighting started last year, when operators began distributing malware that actually patches vulnerabilities in the PCs it infects, making it more difficult for other botnet operators to use those flaws to infect the same PCs.

"Once the user's machine is caught in a battle between botnets, it may begin to experience slowness and unreliability that botnets have generally been able to hide in the past," Daswani says.

Social Attacks

Another emerging trend is the use of social networks for botnet command and control, says Christopher Elisan, a senior research analyst at Damballa, which makes technology for defending against botnets and other advanced threats. In the past, operators did their command and control using IRC or other channels that were relatively easy to bring down, "but you can't take down a social network," Elisan says.

The recent surge in politically motivated distributed denial-of-service attacks, such as those in support of WikiLeaks, will likely gather momentum in 2011. Some of those attacks are built on the opt-in-style approach, which lets users who support a cause set their PCs to participate. This botnet-building method can be difficult to defend against because the attacks emanate from devices and software not previously associated with botnets.

DDoS attacks also change the way botnets are used, Elisan says. While the operator of a large botnet typically parses out portions of the network to support a number of spam campaigns, a DDoS exploit might use all of the botnet's nodes in one attack. When the largest networks are used for this type of focused attack, they can be nearly impossible to defend against--a sobering thought for large businesses that will likely be the next targets.

On the other end of the spectrum, attackers are increasingly using smaller botnets to avoid detection and infect specific targets. "We've seen botnets as small as 10 computers," Elisan says. "The smaller it is, the less footprint it makes and the harder it is to detect."

Some small botnets might be given node names and addresses designed to look like everyday network designations, enabling them to hide in plain view of network administrators who don't know what to look for, he notes.

While small botnets might be useful for covert data gathering, larger ones will continue to be used for broader attacks, such as spam campaigns and DDoS exploits. But are there uses for botnets that haven't yet been conceived?

Daswani is convinced that there will be at least one new botnet application this year. There's already some use of botnets for keystroke logging, he says, and more audio and Web logging is expected.